ABSTRACT

In  this  work,  we  propose  a  highly  scalable  cluster-based 
hierarchical  trust  management  protocol  for  wireless  sensor 
networks  to  effectively  deal  with  selfish  or  malicious  nodes. 
Unlike  prior  work,  we  consider  multidimensional  trust  attributes 
derived  from  communication  and  social  networks  to  evaluate  the 
overall  trust  of  a  sensor  node.  Our  peer-to-peer  trust  evaluation 
method  leverages  the  cluster-based  hierarchical  structure  for 
efficient  communications.  We  develop  a  probability  model  using 
stochastic  Petri  net  techniques  to  analyze  the  performance  of  the 
proposed  trust  management  protocol.  We  validate  the  protocol 
design  by  comparing  subjective  trust  generated  as  a  result  of 
protocol  execution  against  objective  trust  obtained  from  actual 
node  status.  We  apply  our  hierarchical  trust  management  protocol 
to  trust-based  geographical  routing  as  an  application.  Our  results 
demonstrate  that  trust-based  geographic  routing  under  identified 
design  settings  can  approach  the  ideal  performance  level 
achievable  by  flooding-based  routing  in  message  delivery  ratio 
and  message  delay  without  incurring  substantial  message 
overhead.  Furthermore,  it  can  significantly  outperform  traditional 
geographic  routing  protocols  that  do  not  use  trust  concept  in 
selecting  forwarding  nodes  in  message  delivery  ratio  over  a  wide 
range of design parameter settings.

1.  INTRODUCTION

A  wireless  sensor  network  (WSN)  is  usually  composed  of  a  large 
number  of  spatially  distributed  autonomous  sensor  nodes  (SNs)  to 
cooperatively  monitor  physical  or  environmental  conditions,  such 
as  temperature,  sound,  vibration,  pressure,  motion  or  pollutants.  A 
SN  deployed  in  the  WSN  has  the  capability  to  read  the  sensed 
information  and  transmit  or  forward  information  to  base  stations 
or a sink node through multi-hop routing. While SNs have been
popularly used for various monitoring purposes such as wild
animals, weather, or environments for battlefield surveillance,
they also have severely restricted resources such as energy,
memory, and computational power. Further, wireless
environments give more design challenges due to inherently
unreliable  communications.  A  more  serious  issue  is  that  nodes 
may  be  compromised  and  perform  malicious  attacks  such  as 
packet  dropping  or  packet  modifications  to  disrupt  normal 
operations  of  a  WSN  wherein  SNs  usually  perform  unattended 
operations.  A  large  number  of  SNs  deployed  in  the  WSN  also 
require  a  scalable  algorithm  for  highly  reconfigurable 
communication  operations.  In  this  work,  we  consider  a  scalable 
hierarchical  structure  to  deal  with  a  large  number  of  SNs  with 
trust  management  mechanisms  to  identify  selfish  or  malicious 
nodes  for  trust-based  routing  in  WSNs. 

We propose a hierarchical trust management protocol for cluster-based
WSNs for efficient communications. Unlike prior work, we
consider  multidimensional  trust  attributes  derived  from 
communication  and  social  networks  to  evaluate  the  overall  trust  of 
a  sensor  node  (SN)  for  WSN  applications  wherein  both  social 
trust  and  QoS  trust  are  important  for  mission  execution.  We  apply 
our  hierarchical  trust  management  protocol  to  trust-based 
geographical  routing  as  an  application.  Traditional  geographic 
routing  [5,  6]  uses  geographic  location  information  to  select  the 
next  forwarding  node  closest  to  the  destination  node,  so  that  a 
message  if  delivered  successfully  may  be  delivered  with  the 
shortest  delay.  However,  in  the  presence  of  selfish  and  malicious 
nodes,  geographical  routing  may  result  in  low  message  delivery 
ratio  because  the  next  forwarding  node  selected  may  be 
compromised  or  selfish,  resulting  in  message  losses.  Unlike 
traditional  geographical  routing,  trust-based  geographical  routing 
uses  both  trust  and  distance  as  criteria  to  select  the  most 
trustworthy  neighbor  nodes  among  those  closest  to  the  destination 
node  for  message  forwarding  so  that  a  message  may  be  delivered 
successfully  with  a  high  probability.  The  key  design  issues 
considered  include  trust  formation  (i.e.,  how  a  peer-to-peer  trust 
value  is  formed),  trust  aggregation  (i.e.,  how  information  is 
aggregated  in  parallel),  and  trust  composition  (i.e.,  what  trust 
components  are  considered  and  their  optimal  weights)  of  the 
hierarchical trust management protocol and its application to trust-based
geographical routing.

In  the  literature,  trust  has  been  used  in  WSNs  for  assessing  the 
availability,  reliability,  or  security  property  of  a  node  (e.g., 
whether  a  node  is  malicious  or  not)  based  on  past  interaction 
experiences  [1,  4,  7,  8,  10,  12].  Ganeriwal  et  al.  [4]  proposed  a 
reputation-based  framework  for  data  integrity  in  WSNs.  The 
proposed  reputation  system  takes  information  collected  by  each 
node  using  a  Watchdog  mechanism  (for  direct  monitoring  and 
observations)  to  detect  invalid  data  and  uncooperative  nodes.  Yao 
et  al.  [12]  proposed  a  parameterized  and  localized  trust 
management  scheme  for  WSN  security,  particularly  for  secure 
routing, where each node only maintains highly abstracted
parameters to evaluate its neighbors. Aivaloglou and Gritzalis [1]
proposed  a  hybrid  trust  and  reputation  management  protocol  for 
WSNs  by  combining  certificate-based  and  behavior-based  trust 
evaluations.  However,  [1,  4,  12]  cited  above  only  considered  a 
node’s  QoS  property  in  trust  evaluation  based  on  a  flat 
architecture.  Shaikh  et  al.  [10]  proposed  a  group-based  trust 
management  scheme  for  clustered  WSNs  in  which  each  SN 
performs  peer  evaluation  based  on  direct  observations  or 
recommendations,  and  each  cluster  head  (CH)  evaluates  other 
CHs as well as SNs under its own cluster. This work is similar
to ours in that a hierarchical structure is employed for
scalability. However, they only considered QoS metrics (i.e., the
message  delivery  ratio  in  a  time  window)  based  on  direct 
observations.  Liu  et  al.  [7]  and  Moraru  et  al.  [8]  also  proposed 
trust  management  protocols  and  applied  them  to  geographic 
routing  in  WSNs.  However,  no  hierarchical  trust  management  was 
considered  for  managing  clustered  WSNs.  Also,  their  work 
evaluated  trust  based  on  QoS  aspects  of  a  SN  only  such  as  packet 
dropping  and  the  degree  of  cooperativeness  while  our  work 
considers  both  QoS  and  social  trust  for  trust  evaluation  of  a  SN. 

2.  SYSTEM  MODEL 

We  consider  a  cluster-based  WSN  consisting  of  multiple  clusters, 
each  with  a  cluster  head  (CH)  and  a  number  of  SNs  in  the 
corresponding  geographical  area.  The  CH  in  each  cluster  may  be 
selected  based  on  an  election  protocol  such  as  HEED  [13].  A  SN 
forwards  its  sensor  reading  to  its  CH  through  SNs  in  the  same 
cluster  and  the  CH  then  forwards  the  data  to  the  base-station  or 
the destination node (or sink node) through other CHs. Leveraging
this two-level hierarchy in the WSN, our trust management
protocol is conducted using periodic peer-to-peer trust evaluation
between two SNs and between two CHs. At the SN level, each SN
is responsible for reporting its peer-to-peer trust evaluation results
toward other SNs in the same cluster to its CH, which applies
statistical  analysis  and  performs  CH-to-SN  trust  evaluation 
towards  all  SNs  in  its  cluster. 

Unlike  prior  work,  we  compose  our  trust  metric  by  considering 
both  social  trust  and  QoS  trust  to  take  into  account  the  effect  of 
both  aspects  of  trust  on  trustworthiness.  Social  trust  may  include 
friendship,  honesty,  privacy,  similarity,  betweenness  centrality, 
and  social  ties  (strengths)  [3].  QoS  trust  may  include  competence, 
cooperation,  reliability,  task  completion  capability,  etc.  In  this 
work,  we  adopt  intimacy  (for  measuring  social  ties)  and  honesty 
(i.e.,  whether  a  node  is  compromised  or  not)  to  measure  social 
trust  derived  from  social  networks.  We  choose  energy  (for 
measuring  competence)  and  unselfishness  (for  measuring 
cooperativeness)  to  measure  QoS  trust  derived  from 
communication  networks.  The  intimacy  trust  component  reflects 
the  relative  degree  of  interaction  experiences  between  two  nodes. 
The  honesty  trust  component  indicates  whether  a  node  is 
compromised  (being  an  inside  attacker)  or  not  based  on  intrusion 
detection  capability  in  the  system  such  as  software-based  code 
attestation [2]. Energy is one of the most important metrics in WSNs
since  SNs  are  constrained  in  energy  and  we  use  energy  as  a  QoS 
trust  metric  to  measure  if  a  SN  is  capable  of  performing  its 
intended  functionality.  The  unselfishness  trust  component  reflects 
if  a  SN  can  cooperatively  execute  the  intended  protocol. 

Our  trust  management  protocol  can  apply  to  any  WSN  consisting 
of  heterogeneous  SNs  with  vastly  different  initial  energy  levels 
and  different  degrees  of  maliciousness  or  selfishness.  We  consider 
a clustered WSN in which a SN may adjust its behavior
dynamically according to its own operational state and
environmental  conditions.  A  SN  is  more  likely  to  become  selfish 
when  it  has  low  energy  or  when  it  has  many  unselfish  neighbor 
nodes  around.  Further,  a  SN  is  more  likely  to  become 
compromised  when  it  has  low  energy  (a  node  with  high  energy 
may  perform  better  energy-consuming  defenses  against  attackers) 
or  when  it  has  more  compromised  neighbors  around.  A 
compromised  SN  can  perform  various  attacks  such  as  message 
dropping,  good-mouthing  attacks  (recommending  a  bad  node  as  a 
good  node),  and  bad-mouthing  attacks  (recommending  a  good 
node  as  a  bad  node).  A  CH  consumes  more  energy  than  SNs. 
After  a  SN  or  CH  is  compromised,  it  may  consume  more  energy 
to  perform  attacks.  On  the  other  hand,  a  selfish  node  consumes 
less  energy  than  unselfish  nodes  as  its  selfish  behavior  is  reflected 
by  stopping  sensing  functions  and  arbitrarily  dropping  messages. 

3.  HIERARCHICAL  TRUST  PROTOCOL 

Our  hierarchical  trust  management  protocol  maintains  two  levels 
of  trust:  SN-level  trust  and  CH-level  trust.  Each  SN  evaluates 
other  SNs  in  the  same  cluster  while  each  CH  evaluates  other  CHs 
and  SNs  in  its  cluster.  The  peer-to-peer  trust  evaluation  is 
periodically  updated  based  on  either  direct  observations  or 
indirect  observations.  When  two  nodes  are  neighbors  within  radio 
range,  they  evaluate  each  other  based  on  direct  observations  via 
snooping  or  overhearing.  Each  SN  sends  its  trust  evaluation 
results  toward  other  SNs  in  the  same  cluster  to  its  CH.  Each  CH 
performs  trust  evaluation  toward  all  SNs  within  its  cluster. 
Similarly,  each  CH  sends  its  trust  evaluation  results  toward  other 
CHs  in  the  WSN  to  a  “CH  commander”  which  may  reside  on  the 
base  station  if  one  is  available,  or  on  a  CH  elected  if  a  base  station 
is  not  available.  The  CH  commander  performs  trust  evaluation 
toward  all  CHs  in  the  system.  The  election  protocol  is  outside  of 
the  scope  of  the  paper. 

These  two  levels  of  peer-to-peer  trust  evaluation  process  consider 
four  different  trust  components  as  described  earlier:  intimacy, 
honesty, energy, and unselfishness. The trust value that node i
evaluates towards node j at time t, $T_{ij}(t)$, is represented as a real
number in the range of [0, 1] where 1 indicates complete trust, 0.5
ignorance, and 0 distrust. $T_{ij}(t)$ is computed by:

$$T_{ij}(t) = w_1 T_{ij}^{intimacy}(t) + w_2 T_{ij}^{honesty}(t) + w_3 T_{ij}^{energy}(t) + w_4 T_{ij}^{unselfishness}(t) \quad (1)$$

where $w_1$, $w_2$, $w_3$, and $w_4$ are weights associated with these four
trust components with $w_1 + w_2 + w_3 + w_4 = 1$.

3.1  Peer-to-Peer  Trust  Evaluation 

Here  we  describe  how  peer-to-peer  trust  evaluation  is  conducted, 
particularly  between  two  SNs  or  two  CHs.  When  a  trustor  (node  i) 
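evaluates a trustee (node j) at time t, it updates $T_{ij}^{X}(t)$ where X
indicates a trust component as follows:

$$T_{ij}^{X}(t) = \begin{cases} (1-\alpha)\,T_{ij}^{X}(t-\Delta t) + \alpha\,T_{ij}^{X,direct}(t), & \text{if } i \text{ and } j \text{ are neighbors;} \\ \underset{k \in N_i}{\mathrm{avg}} \left\{ \gamma\,T_{ij}^{X}(t-\Delta t) + (1-\gamma)\,T_{kj}^{X,recom}(t) \right\}, & \text{otherwise.} \end{cases} \quad (2)$$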

In Equation 2, if node i is a 1-hop neighbor of node j, node i will
use its direct observations ($T_{ij}^{X,direct}(t)$) and past experiences
($T_{ij}^{X}(t - \Delta t)$ where $\Delta t$ is a trust update interval) toward node j to
update $T_{ij}^{X}(t)$. A parameter $\alpha$ ($0 < \alpha < 1$) is used here to weight
these two contributions and to consider trust decay over time. A
larger $\alpha$ means that trust evaluation will rely more on direct
observations. Here $T_{ij}^{X,direct}(t)$ indicates node i's trust value
toward node j based on direct observations accumulated over the
time period [0, t], possibly with a higher priority given to recent
interaction experiences over the time period $[t - \Delta t, t]$. Below we
describe how each trust component value $T_{ij}^{X,direct}(t)$ can be
obtained based on direct observations:

• $T_{ij}^{intimacy,direct}(t)$: This measures the level of interaction
experiences. It is computed by the number of interactions between
nodes i and j over the maximum number of interactions between
node i and any neighbor node over the time period [0, t].

• $T_{ij}^{honesty,direct}(t)$: This refers to the belief of node i that node j
is not compromised based on node i's direct observations toward
node j. It can be a binary quantity, 0 or 1, based on the result of
IDS deployed on node i about whether or not node j is
compromised at time t.

• $T_{ij}^{energy,direct}(t)$: This indicates the percentage of node j's
remaining energy that node i directly observes at time t. Node i
can overhear or even monitor node j's packet transmission
activities over the time period [0, t] to estimate $T_{ij}^{energy,direct}(t)$.

• $T_{ij}^{unselfishness,direct}(t)$: This provides the degree of
unselfishness of node j as evaluated by node i based on direct
observations over [0, t]. Node i can apply overhearing and
snooping techniques to detect selfish behaviors and may give
recent interaction experiences a higher priority over old
experiences in estimating $T_{ij}^{unselfishness,direct}(t)$.

On the other hand, if node i is not a 1-hop neighbor of node j,
node i will use its past experiences ($T_{ij}^{X}(t - \Delta t)$) and
recommendations ($T_{kj}^{X,recom}(t)$ where k is a recommender) to
update $T_{ij}^{X}(t)$. A parameter $\gamma$ is used here to weight these two
contributions and to consider trust decay over time as follows:

$$\gamma = \frac{1}{1 + \beta\,T_{ik}^{honesty}(t)} \quad (3)$$

Here we introduce another parameter $\beta > 0$ to specify the impact
of "indirect recommendations" on $T_{ij}^{X}(t)$ such that the weight
assigned to indirect recommendations is normalized to
$\beta\,T_{ik}^{honesty}(t)$ relative to 1 assigned to past experiences.
Essentially, the contribution of recommended trust increases
proportionally as either $T_{ik}^{honesty}(t)$ or $\beta$ increases. Instead of
having a fixed weight ratio $T_{ik}^{honesty}(t)$ to 1 for the special case in
which $\beta = 1$, we allow the weight ratio to be adjusted by
adjusting the value of $\beta$ and test its effect on protocol resiliency
against malicious recommendation attacks such as good-mouthing
and bad-mouthing attacks. Here, $T_{ik}^{honesty}(t)$ is node i's honesty
trust value toward node k as a recommender (for node i to judge if
node k provides correct information). We note that node i can
choose all its 1-hop neighbors ($N_i$) as recommenders. The new
trust value $T_{ij}^{X}(t)$ in this case would be the average of the
combined trust values of past trust information and
recommendations collected at time t.
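The update rules of Equations 1 to 3, run against a bad-mouthing recommender, as an added example that is not code from the paper. The function names and the sample trust values are assumptions constructed for illustration; the scenario compares the case where node i still believes the bad-mouther is honest with the case where node i's IDS has flagged it.

```python
from statistics import mean

COMPONENTS = ("intimacy", "honesty", "energy", "unselfishness")


def update_direct(prev, direct, alpha):
    """Eq. 2, neighbor case: blend past trust with the fresh direct observation."""
    if not 0.0 < alpha < 1.0:
        raise ValueError("alpha must lie in (0, 1)")
    return (1.0 - alpha) * prev + alpha * direct


def gamma(beta, honesty_ik):
    """Eq. 3: share of the weight node i keeps on its own past experience."""
    if beta <= 0.0:
        raise ValueError("beta must be > 0")
    return 1.0 / (1.0 + beta * honesty_ik)


def update_indirect(prev, recommendations, beta):
    """Eq. 2, non-neighbor case.

    recommendations holds one (honesty_ik, recom_kj) pair per 1-hop
    neighbor k of node i: node i's honesty trust toward k, and k's
    recommended trust value for node j in the component being updated.
    """
    if not recommendations:
        return prev  # nobody to ask: past experience is all node i has
    combined = []
    for honesty_ik, recom_kj in recommendations:
        g = gamma(beta, honesty_ik)
        combined.append(g * prev + (1.0 - g) * recom_kj)
    return mean(combined)


def overall_trust(components, weights):
    """Eq. 1: weighted sum of the four trust components."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    return sum(weights[x] * components[x] for x in COMPONENTS)


def bad_mouthing_demo(beta, prev=0.8):
    """Constructed scenario: two honest recommenders report 0.9 for node j,
    a third recommender bad-mouths j with the worst-case value 0.

    Returns (trust if the bad-mouther is still believed honest,
             trust if node i's honesty trust toward it is 0).
    """
    honest = [(1.0, 0.9), (1.0, 0.9)]
    undetected = update_indirect(prev, honest + [(1.0, 0.0)], beta)
    detected = update_indirect(prev, honest + [(0.0, 0.0)], beta)
    return undetected, detected


if __name__ == "__main__":
    for beta in (0.5, 8.0):
        u, d = bad_mouthing_demo(beta)
        print(f"beta={beta}: bad-mouther believed -> {u:.3f}, "
              f"bad-mouther flagged -> {d:.3f}")
```

With honesty trust 0 toward a recommender, $\gamma$ becomes 1 and that recommendation has no effect. A larger $\beta$ widens the gap between the two cases, because an undetected bad-mouther then carries more weight.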

3.2  CH-to-SN  Trust  Evaluation 

Each SN reports its trust evaluation toward other SNs in the same
cluster to its CH. The CH then applies statistical analysis
principles to $T_{ij}(t)$ values received to perform CH-to-SN trust
evaluation towards node j. Further, the CH can also leverage
$T_{ij}(t)$ values received to detect if there is any outlier as an
evidence of good-mouthing or bad-mouthing attacks. Based on
the resulting CH-to-SN trust evaluation result toward node j, the
CH determines whether node j needs to be excluded from sensor
reading and routing duties.
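One way a CH could screen the reported $T_{ij}(t)$ values for good-mouthing and bad-mouthing outliers before aggregating them, as an added example that is not code from the paper. The paper does not name the statistic it applies; the median/MAD rule, the cutoff, the spread floor, the 0.5 exclusion threshold and the sample reports are all assumptions made for this illustration.

```python
from statistics import mean, median

MAD_TO_SIGMA = 1.4826  # scales the MAD to a standard deviation for normal data
CUTOFF = 3.0           # assumed: flag reports more than 3 scaled MADs from the median
MIN_SPREAD = 0.02      # assumed floor so identical honest reports do not give spread 0
EXCLUDE_BELOW = 0.5    # assumed threshold; the paper only states that 0.5 is ignorance

# Constructed reports T_ij(t) about one node j, keyed by the reporting SN i.
# Case 1: j is a good node and sn5 bad-mouths it with the worst-case value 0.
BAD_MOUTHED = {"sn1": 0.82, "sn2": 0.78, "sn3": 0.80,
               "sn4": 0.85, "sn5": 0.00, "sn6": 0.79}
# Case 2: j is a bad node and sn5, sn6 good-mouth it with the value 1.
GOOD_MOUTHED = {"sn1": 0.20, "sn2": 0.25, "sn3": 0.18,
                "sn4": 0.22, "sn5": 1.00, "sn6": 1.00}


def flag_outliers(reports):
    """Return the reporters whose value sits far from the cluster's median."""
    values = list(reports.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    spread = max(MAD_TO_SIGMA * mad, MIN_SPREAD)
    return {i for i, v in reports.items() if abs(v - med) / spread > CUTOFF}


def ch_evaluate(reports):
    """CH-to-SN evaluation of node j from the peer reports it received.

    Returns the aggregated trust over non-outlier reports, the reporters
    suspected of good-/bad-mouthing, and the exclusion decision for j.
    """
    if len(reports) < 3:
        raise ValueError("need at least 3 reports to judge outliers")
    suspects = flag_outliers(reports)
    kept = [v for i, v in reports.items() if i not in suspects]
    trust = mean(kept)
    return {
        "trust": trust,
        "suspect_reporters": sorted(suspects),
        "exclude": trust < EXCLUDE_BELOW,
    }


if __name__ == "__main__":
    for name, reports in (("bad-mouthed", BAD_MOUTHED),
                          ("good-mouthed", GOOD_MOUTHED)):
        result = ch_evaluate(reports)
        print(name, "raw mean = %.3f" % mean(reports.values()), result)
```

A median-based screen only holds while colluding reporters are fewer than half of those reporting on node j; beyond that the median itself moves to the attackers' value.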

4.  PERFORMANCE  MODEL 

We  develop  a  probability  model  based  on  stochastic  Petri  nets 
(SPN)  [9]  techniques  to  describe  the  behavior  of  each  SN  or  CH 
in  a  WSN.  It  provides  a  basis  for  obtaining  global  status  of  nodes 
in  the  system,  thereby  allowing  us  to  derive  objective  trust  against 
which  subjective  trust  obtained  as  a  result  of  executing  our 
hierarchical  trust  management  protocol  can  be  checked  and 
validated.  We  use  SPN  as  our  analytical  tool  due  to  its  capability 
to  represent  a  large  number  of  states  for  complex  systems  where 
an  underlying  model  is  a  semi-Markov  or  Markov  model.  Further, 
we  develop  novel  iterative  hierarchical  modeling  techniques  to 
avoid  state  explosion  problems  and  to  yield  efficient  solutions. 
Figure  1  shows  the  SPN  model  that  describes  the  behavior  of  a  SN 
(or  a  CH).  We  consider  a  heterogeneous  WSN  consisting  of  N 
SNs  uniformly  distributed  in  an  M  by  M  square-shaped 
operational  area.  Each  SN  is  attached  to  a  CH  based  on  its 
location and so the system will have $N_{CH}$ clusters with $N_{CH}$ CHs.
CHs and SNs have radio range of R and r respectively. The trust
update interval is $\Delta t$. Nodes are stationary after the initial
deployment. 

Below  we  explain  how  we  construct  the  SPN  model  for  describing 
the  behaviors  of  a  single  node  and  how  we  compose  a 
performance  model  for  the  entire  WSN  using  a  number  of  such 
SPN  models  (one  for  each  node  in  the  system). 


Figure 1: SPN Model for a Sensor Node or a Cluster Head. (Figure not reproduced; its transitions are T_ENERGY, T_SELFISH, T_REDEMP, T_COMPRO and T_IDS.)

• Energy: Place Energy indicates the remaining energy level of
the node. The initial number of tokens in place Energy is set to
$E_{init}$. A token will be released from place Energy when transition
T_ENERGY is triggered. The rate of transition T_ENERGY
indicates the energy consumption rate. A CH consumes more
energy than a SN. The energy consumption rate is also affected by
a node's state. It is lower when a node becomes selfish. It is
higher when a node is compromised because it takes energy to
perform attacks. We denote $\lambda_{E\text{-}sensor}$, $\lambda_{E\text{-}CH}$ and
$\lambda_{E\text{-}compromised}$ as the energy consumption rates per $\Delta t$ time for a
normal SN, a normal CH, and a compromised node, respectively,
which can be obtained by analyzing historical data with
$\lambda_{E\text{-}sensor} \le \lambda_{E\text{-}CH} \le \lambda_{E\text{-}compromised}$. Thus, the energy
consumption rates for a selfish SN and a selfish CH are
$\rho\lambda_{E\text{-}sensor}$ and $\rho\lambda_{E\text{-}CH}$ per $\Delta t$ time unit, respectively, where $\rho$
is the rate of the energy consumption of a selfish node.

• Selfishness: We model the selfish behavior of a node as follows:
A node may become selfish to save energy. A selfish node may
stop reading data and drop packets it receives. An unselfish node
may decide whether it will be selfish or not upon every time
interval $T_s$ according to its remaining energy and the number of
unselfish neighbors. A selfish node can be redeemed as unselfish
based on trust evaluation performed in every trust update interval
($\Delta t$). We model these behaviors by putting a token into place SN
when transition T_SELFISH is triggered and removing the token
from place SN when transition T_REDEMP is triggered. A token
in place SN thus indicates that the node is selfish. A node's selfish
probability is modeled by:

$$P_{selfish} = \frac{1}{2}\left(\frac{E_{consumed}}{E_{init}} + \frac{N_{neighbor}^{unselfish}}{N_{neighbor}}\right) \quad (4)$$

where $E_{consumed}$ is energy consumed and $E_{init}$ is the node's
initial energy level. Thus $E_{consumed}/E_{init}$ represents the
percentage of energy consumed. $N_{neighbor}^{unselfish}/N_{neighbor}$ is the
percentage of unselfish neighbors where $N_{neighbor}^{unselfish}$ is the number
of unselfish neighbors and $N_{neighbor}$ is the total number of
neighbors. A node's selfish probability tends to be lower when a
node has more energy and higher when the node has more
unselfish neighbors as there are sufficient unselfish neighbors
around to take care of sensor tasks. Thus, the rates of transitions
T_SELFISH and T_REDEMP are given by $P_{selfish}/T_s$ and
$(1 - P_{selfish})/\Delta t$ respectively. We assume all nodes are unselfish
initially with no token in place SN.


• Honesty: A node becomes compromised when transition
T_COMPRO fires and a token is put in place CN. The rate to
T_COMPRO is modeled by:

where $\lambda_{c\text{-}init}$ is the initial node compromising rate which can be
obtained by first-order approximation based on historical data
about the targeted network environments. $E_{init}$ and $E_{remain}$
indicate a node's initial energy and remaining energy,
respectively. $N_{neighbor}^{compromised}$ and $N_{neighbor}^{healthy}$ are the numbers of
compromised and healthy (not compromised) nodes in the
neighborhood. $N_{neighbor}^{compromised}/N_{neighbor}^{healthy}$ refers to the ratio of the
number of compromised 1-hop neighbors to the number of
healthy 1-hop neighbors. Equation 5 models that a node is more
likely to be compromised when it has low energy to perform
energy-consuming defense mechanisms, and when there are more
1-hop neighboring compromised nodes around it due to their
collusive attacks. We model the IDS behavior through transition
T_IDS. A compromised node can be caught by IDS with the rate
$(1 - P_{fn})/T_{IDS}$ for transition T_IDS where $P_{fn}$ is the IDS false
negative probability and $T_{IDS}$ is the IDS detection interval. When
a compromised node is caught by IDS, a token will move to place
DCN. In addition, we model false positives generated by the IDS
(i.e., diagnosing a good node as a bad node) by associating a rate
of $P_{fp}/T_{IDS}$ with transition T_IDS which is enabled only when the
node is not compromised, that is, when there is no token in place
CN. Note that all nodes are healthy, i.e., not compromised,
initially.


The overall performance model for describing the behaviors of a
WSN consists of N SPN subnet models, one for each SN, and $N_{CH}$
SPN subnet models, one for each CH, with vastly different energy
consumption, selfish/redemption and compromise rates. Below we
describe how one could leverage SPN outputs to obtain subjective
trust and objective trust values for performance evaluation of our
hierarchical trust management protocol.


4.1  Subjective  Trust  Evaluation 


Table 1: Instantaneous Subjective Trust $T_{ij}^{X,direct}(t)$ for
Component X based on Direct Observations.

| Item | Value | Condition (of node j) |
|------|-------|-----------------------|
| $T_{ij}^{intimacy,direct}(t)$ | a/c | If mark(SN) = 1 AND mark(CN) = 0 |
| | b/c | If mark(CN) = 1 |
| | 1 | Otherwise |
| $T_{ij}^{honesty,direct}(t)$ | 1 | If mark(DCN) = 0 |
| | 0 | Otherwise |
| $T_{ij}^{energy,direct}(t)$ | mark(Energy)/$E_{init}$ | none |
| $T_{ij}^{unselfishness,direct}(t)$ | 1 | If mark(SN) = 0 |
| | 0 | Otherwise |

Recall that under our proposed trust management protocol, node i
will subjectively assess its trust toward node j, $T_{ij}(t)$, based on its
direct observations and indirect recommendations obtained toward
node j according to Equations 1 and 2. In particular, node i will
apply monitoring, snooping and overhearing techniques to watch
node j (a 1-hop neighbor to node i) closely to
compute $T_{ij}^{X,direct}(t)$ based on direct observations over the time
period [0, t]. As a result, $T_{ij}^{X,direct}(t)$ computed by node i will
fairly accurately reflect actual status of node j at time t.
Leveraging the SPN model developed which provides actual
status of each node dynamically, we can easily obtain this
instantaneous subjective trust $T_{ij}^{X,direct}(t)$ of node i toward node
j in component X at time t as listed in Table 1. In particular,
$T_{ij}^{honesty,direct}(t)$, $T_{ij}^{energy,direct}(t)$, and $T_{ij}^{unselfishness,direct}(t)$
can be easily computed by simply checking the status of node j at
time t in node j's SPN model; $T_{ij}^{intimacy,direct}(t)$ is computed
based on interaction experiences for packet forwarding events.
We consider four types of interactions, given that node i is the
initiating node: (1) Requesting: Node i broadcasts a packet
delivery request to its 1-hop neighbors; (2) Reply: Nodes that are
closer to the destination node than node i will reply to node i; (3)
Selection: Node i selects up to L nodes with the highest trust
values to forward the packet; (4) Overhearing: Node i overhears if
the packet has been forwarded.


In practice, node i will keep track of its interaction experiences
with node j to compute $T_{ij}^{intimacy,direct}(t)$. Let the average
numbers of interactions of node i with a selfish node, a
compromised node and a normal node be a, b and c, respectively.
Then the instantaneous subjective trust $T_{ij}^{intimacy,direct}(t)$ of node
i toward node j based on direct observations will be a/c, b/c, or
c/c, respectively, depending on if node j is a selfish node, a
compromised node, or a normal node. The values of a, b, c are
computed dynamically. Below we predict their values from node
i's perspective for the case in which a selfish node drops 50% of
packets and a compromised node drops 100% of packets. On the
one hand, if node i requests a neighbor to forward a packet then
(1) the expected number of interactions between node i and a
selfish node j is 25% × 50% × 3 because there will be three
interactions (reply, selection, and overhearing) only if the selfish
node is in a quadrant closer to the destination node (with 25%
probability) and does not drop the packet (with 50% probability);
(2) the expected number of interactions between node i and a
compromised node j is 0 because a compromised node discards all
requests from node i; and (3) the expected number of interactions
between node i and a normal node j is 25% × 3 because there will
be three interactions only if that node is in a quadrant closer to the
destination node (with 25% probability). On the other hand, if
node i receives a request from node j to forward a packet, the
expected number of interactions will be 25% × 2 because from
node i's perspective there will be two interactions (reply and
selection) only if node i is in the quadrant closer to the target
node. Summarizing above, we can predict:

$$\begin{aligned} a &= 25\% \times 50\% \times 3 + 25\% \times 2; \\ b &= 0 + 25\% \times 2; \\ c &= 25\% \times 3 + 25\% \times 2. \end{aligned} \quad (6)$$

Once $T_{ij}^{X,direct}(t)$ is computed, node i will compute $T_{ij}^{X}(t)$ based
on Equation 2 and subsequently compute $T_{ij}(t)$ based on
Equation 1.


4.2  Objective  Trust  Evaluation 

To  validate  subjective  trust  evaluation,  we  compute  objective  trust 
based  on  actual  status  as  provided  by  the  SPN  model  output.  The 
objective trust value of node j, $T_{j,obj}(t)$, is also a weighted linear
combination of four trust component values:

$$T_{j,obj}(t) = w_1 T_{j,obj}^{intimacy}(t) + w_2 T_{j,obj}^{honesty}(t) + w_3 T_{j,obj}^{energy}(t) + w_4 T_{j,obj}^{unselfishness}(t) \quad (7)$$

where $T_{j,obj}^{intimacy}(t)$, $T_{j,obj}^{honesty}(t)$, $T_{j,obj}^{energy}(t)$, and
$T_{j,obj}^{unselfishness}(t)$ can be obtained directly from the SPN model
output reflecting node j's actual status at time t.


5.  TRUST  EVALUATION  RESULTS 


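Table 2: Default Parameter Values Used.

| Param | Value | Param | Value | Param | Value |
|-------|-------|-------|-------|-------|-------|
| M | 900 m | R | 150 m | r | 50 m |
| N | 900 | $N_{CH}$ | 81 | $\Delta t$ | 10 min. |
| $\alpha$ | 0.5 | $\beta$ | 0.5 | $1/\lambda_{c\text{-}init}$ | [4, 18] hrs |
| $\lambda_{E\text{-}sensor}$ | 10 min. | $\lambda_{E\text{-}CH}$ | 20 min. | $\lambda_{E\text{-}compromised}$ | 30 min. |
| $\rho$ | 1/3 | $T_{IDS}$ | 10 min. | $P_{fp}$, $P_{fn}$ | 0.5% |
| $T_s$ | [10, 60] min. | $w_1$, $w_2$, $w_3$, $w_4$ | 0.25 | | |
| $E_{init}$ | [18, 24] hrs for SNs, [36, 48] hrs for CHs | | | | |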

In this section, we show numerical results obtained through
model-based evaluation as described in Section 4. Table 2 lists
default parameters used. We consider a WSN with 900 SNs (and
81 CHs) evenly spread out in a 900 m × 900 m operational area
based on uniform distribution. We set radio range R = 150 m and
r = 50 m. The initial energy lifetime of a SN varies from 18 hrs to
24 hrs while the CHs have much higher initial energy lifetime
ranging from 36 hrs to 48 hrs. The WSN is assumed to be deployed
in a hostile environment with the node's average compromising
interval in the range of 4 hrs to 18 hrs. We consider the worst case
of good-mouthing (providing the highest trust value of 1 for a
malicious node) and bad-mouthing attacks (providing the lowest
trust value of 0 against a good node). Further, we use $P_{fp} = P_{fn} =
0.5\%$ which is deemed acceptable [2]. Below we present CH-to-SN
trust evaluation results for a SN arbitrarily chosen based on
peer-to-peer trust evaluation results reported by other SNs in the same
cluster, and compare them against objective trust evaluated based
on the SN's actual status. We vary parameter values to reflect
changes to the environmental and operational condition and test
their effects on subjective vs. objective trust values obtained. The
node is a good node at time t = 0 and then becomes a bad node
based on its compromise rate.

Figure 2 compares subjective trust (using equal weights with w1:w2:w3:w4 = 0.25:0.25:0.25:0.25) vs. objective trust obtained, with α varying over a wide range (a larger α indicates that subjective trust evaluation relies more on direct observations compared with past experiences). We fix β to 0.5 to isolate its effect. We observe that subjective trust initially approaches objective trust as more recent direct observations are used. However, we also observe a crossover time point (for α > 0.5) after which subjective trust is lower than objective trust. This implies that when a sufficiently large amount of direct information is used for trust evaluation, subjective trust tends to be underestimated but does not cause any risk by over-trusting a trustee.
Figure 2: Effect of α on Trust Evaluation.

Figure 3: Effect of β on Trust Evaluation.

Figure 3 shows the effect of β on subjective trust. A higher β value indicates that subjective trust evaluation relies more on indirect recommendations provided by the recommenders compared with past experiences. We vary β from 0.1 to 8.0 to cover a wide range of possible values, with α fixed at 0.5 to isolate its effect. One can see that the subjective trust value approaches the objective trust value as β increases, but underestimates the trust value once a cross-over time point is reached, particularly for β > 1.

Figures 2 and 3 show that α = 0.5 and β = 0.5 yield subjective trust values very close to objective trust values, with the mean square error percentage less than 1%. The choice of the best α and β values depends on the given set of parameter values, such as those listed in Table 2, characterizing the environmental and operational conditions. The model-based analysis methodology developed in the paper allows the best combination of α and β values to be determined. Overall, we observe a close correlation between subjective trust evaluation and objective trust evaluation, thus supporting our claim that subjective trust obtained as a result of executing our proposed hierarchical trust management protocol approaches true objective trust.

6.  APPLICATION:  TRUST-BASED  GEOGRAPHIC  ROUTING

We apply the proposed hierarchical trust management protocol to trust-based geographic routing as an application. In geographic routing, a node disseminates a message to a maximum of L neighbors closest to the destination node (or the sink node). In trust-based geographical routing, node i forwards a message to a maximum of L neighbors not only closest to the destination node but also with the highest trust values $T_{ij}(t)$. We conduct a performance analysis to compare our trust-based geographical routing protocol with baseline routing protocols, namely, flooding-based [11] and traditional geographic routing. In flooding-based routing, a node floods a message to all its neighbors until a copy of the packet reaches the destination node. It yields the highest message delivery ratio and the lowest message delay at the expense of the highest message overhead.
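The forwarding rules described above, as an added example that is not the paper's simulator: it contrasts geographic and trust-based geographic next-hop selection on a small topology where the neighbor closest to the sink is compromised and drops messages. The ranking rule (only neighbors that make progress toward the sink, trust first, distance as tie-breaker), the single trust value per node, and the topology, radio range and trust values are assumptions constructed for illustration.

```python
import math

# Constructed topology: node -> (x, y) in metres; 60 m radio range is assumed.
POS = {"src": (0, 0), "a": (50, 0), "b": (40, 30), "c": (90, 10),
       "d": (80, 45), "sink": (130, 20)}
RANGE = 60.0
COMPROMISED = {"a"}   # constructed: node "a" drops every message it receives
# Constructed trust values; assumption: every evaluator i holds the same T_ij(t) for j.
TRUST = {"src": 1.0, "a": 0.15, "b": 0.90, "c": 0.85, "d": 0.80, "sink": 1.0}

def dist(u, v):
    return math.dist(POS[u], POS[v])

def neighbors(u):
    return [v for v in POS if v != u and dist(u, v) <= RANGE]

def pick_forwarders(u, dst, L, use_trust):
    """Choose at most L next hops among neighbors that are closer to dst than u."""
    cands = [v for v in neighbors(u) if dist(v, dst) < dist(u, dst)]
    if use_trust:
        # Assumed ranking: highest trust first, distance to dst breaks ties.
        cands.sort(key=lambda v: (-TRUST[v], dist(v, dst)))
    else:
        # Plain geographic routing: closest to dst first, trust ignored.
        cands.sort(key=lambda v: dist(v, dst))
    return cands[:L]

def route(src, dst, L, use_trust):
    """Return (delivered, copies_sent) for one message; copies model overhead."""
    frontier, seen, copies = [src], {src}, 0
    while frontier:
        nxt = []
        for u in frontier:
            for v in pick_forwarders(u, dst, L, use_trust):
                copies += 1
                if v == dst:
                    return True, copies
                if v in COMPROMISED or v in seen:
                    continue   # dropped by a bad node, or already forwarded
                seen.add(v)
                nxt.append(v)
        frontier = nxt
    return False, copies

if __name__ == "__main__":
    for L in (1, 2):
        for use_trust in (False, True):
            print(L, "trust" if use_trust else "geo", route("src", "sink", L, use_trust))
```

With L=1 the geographic rule hands the only copy to the compromised node, while the trust-based rule takes a longer path through trusted nodes, which is the delivery-ratio versus path-length trade-off the section goes on to measure.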

Recall  that  for  all  routing  protocols,  the  source  SN  first  forwards  a 
message  to  its  CH  (through  multiple  hops  if  necessary).  Then,  the 
CH  forwards  the  message  to  the  sink  node  through  other  CHs. 
Without  loss  of  generality,  we  normalize  the  average  delay  for 
forwarding  a  message  between  two  neighboring  SNs  to  r.  The 
average  delay  between  two  neighboring  CHs  is  normalized  to  2r. 
We  collect  data  for  delivering  1000  messages,  each  with  a  source 
sensor  and  a  sink  node  randomly  selected.  We  consider  two  cases: 
L=1  and  L=2  for  both  trust-based  geographic  routing  and 
geographic  routing.  We  use  the  optimal  set  of  (α,  β)=(0.5,  0.5) 
identified  in  Section  5  to  ensure  subjective  trust  is  close  to 
objective  trust.  We  also  use  parameter  values  as  listed  in  Table  2 
for  characterizing  environmental  and  operational  conditions.  In 
the  comparative  analysis,  we  vary  the  degree  of  selfish  or 
compromised  nodes  from  0%  to  90%.  Note  that  30%  of 
compromised  or  selfish  nodes  means  that  30%  of  nodes  are 
compromised  or  selfish  in  the  system  without  a  fixed  ratio  being 
used  for  these  two  types  of  nodes. 

Figure 4 shows the message delivery ratio under various routing protocols. Our trust-based geographic routing protocol (L=1 or L=2) outperforms traditional geographic routing (L=1 or L=2) and approaches flooding-based routing, especially as the percentage of compromised or selfish nodes increases. The delivery ratio for all three routing protocols drops below 0.1 when the percentage of compromised or selfish nodes is higher than 80%. We observe that even the message delivery ratio of our trust-based geographic routing without redundancy (L=1) is higher than that of geographic routing with redundancy (L=2) when the percentage of compromised or selfish nodes is higher than 40%. We attribute this to the ability of trust-based geographic routing to successfully avoid forwarding messages to untrustworthy nodes based on $T_{ij}(t)$ values obtained from our hierarchical trust management protocol.

Figure 5 shows the average delay for those messages that are successfully delivered under various routing protocols. Flooding-based routing has the best performance since it can always find the shortest path to reach the destination sink node through flooding. Geographic routing (L=1 or L=2) has almost the same performance as flooding-based routing due to its greedy nature of selecting nodes closest to the destination sink node for message forwarding. Trust-based geographic routing with L=1 has the highest delay, but with L=2 it approaches the performance of flooding-based routing and geographic routing. The average delay of all routing protocols drops as the percentage of compromised or selfish nodes increases. Further, the average delay of all routing protocols is below 3r when the percentage of compromised or selfish nodes is higher than 80%, since the message can be successfully delivered only if the source sensor and the sink node are close to each other.


Figure 4: Message Delivery Ratio.

Figure 5: Message Delay.

Figure 6: Message Delay with Source Sensor and Sink Node at a Distance Away.

Figure 6 shows the average delay for those messages that are successfully delivered for a special case in which the source SN and the sink node are at least a distance (700m) away. We create this case to ensure there are sufficient intermediate nodes on any path to reach the sink node. Compared with Figure 5, we observe (a) trust-based geographic routing with L=2 again approaches flooding-based routing, especially as the percentage of compromised or selfish nodes increases; (b) traditional geographic routing with L=1 fails to deliver any message when the percentage of compromised or selfish nodes is higher than 50% because there is no short route to reach the destination node over a long distance, while trust-based geographical routing with L=1 can still deliver messages; (c) the message delivery delay increases as the percentage of compromised or selfish nodes increases due to more messages being dropped by selfish or malicious nodes residing on shorter routes.


Figure  7:  Message  Overhead. 

Figures 4-6 above suggest that trust-based geographical routing with L=2 can achieve ideal performance in message delivery ratio and message delay. Below we study the message overhead issues. Figure 7 shows the message overhead in terms of the number of message copies propagated before the destination sink node receives one copy. Both geographic routing and trust-based geographic routing perform significantly better than flooding-based routing. Trust-based geographical routing incurs more message overhead than traditional geographical routing because the path selected by trust-based geographical routing is often the most trustworthy path, not necessarily the shortest path. Nevertheless, we observe that the overhead increase of trust-based geographical routing over traditional geographical routing is small compared with that of flooding-based routing over traditional geographical routing. The system thus can effectively trade off message overhead for message delivery ratio and message delay. Finally, we observe that the number of message copies propagated for all three routing protocols is close to 3 when the percentage of compromised or selfish nodes is higher than 80%. The reason is that the message can be successfully delivered only when the source node and the sink node are close to each other. Otherwise, there is a high probability that compromised and selfish nodes residing on a long route will drop the message copies received.

Overall, Figures 4-7 demonstrate that our trust-based geographic routing protocol with L=2 can significantly improve the delivery ratio and message delay (close to those of flooding-based routing) in the presence of compromised or selfish nodes, without sacrificing too much message overhead. Here we note that the system can effectively trade off message overhead (energy consumption) for high delivery ratio and low message delay by adjusting the level of redundancy (L). As L increases, the performance of our trust-based geographical routing protocol in delivery ratio and message delay will approach that of flooding-based routing.

7.  CONCLUSION 

In this paper, we proposed a hierarchical trust management protocol for cluster-based wireless sensor networks, considering two aspects of trustworthiness, namely, social trust and QoS trust. We developed a probability model utilizing stochastic Petri net techniques to quantitatively analyze the protocol performance, and validated subjective trust against objective trust obtained based on actual node status. We applied our hierarchical trust management protocol to trust-based geographic routing and demonstrated that our trust-based geographic routing performs close to the ideal performance of flooding-based routing in delivery ratio and message delay without sacrificing much in message overhead compared with traditional geographic routing protocols which do not use trust.